From 914ea2bd6037ae67c315a57083f20b12ae51a179 Mon Sep 17 00:00:00 2001
From: Koffi Nogbe
Date: Wed, 4 Sep 2019 09:57:57 -0400
Subject: [PATCH] Add audit database user for audit purposes
This commit adds an audit user to the postgresql database which will have only SELECT privileges on the postgresql database tables. This is accomplished by setting up audit user creation parameters in the Patroni bootstrap environment settings, according to (1).
(1) https://patroni.readthedocs.io/en/latest/ENVIRONMENT.html
Change-Id: Idf1cd90b5d093f12fa4a3c5c794d4b5bbc6c8831
---
 postgresql/templates/secret-audit.yaml | 26 ++++++++++++++++++++++++++
 postgresql/templates/statefulset.yaml | 12 ++++++++++++
 postgresql/values.yaml | 5 +++++
 3 files changed, 43 insertions(+)
 create mode 100644 postgresql/templates/secret-audit.yaml
diff --git a/postgresql/templates/secret-audit.yaml b/postgresql/templates/secret-audit.yaml
new file mode 100644
index 000000000..64dc3a41e
--- /dev/null
+++ b/postgresql/templates/secret-audit.yaml
@@ -0,0 +1,26 @@
+{{/*
+Copyright 2020 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.secret_audit }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.secrets.postgresql.audit }}
+type: Opaque
+data:
+ AUDIT_PASSWORD: {{ .Values.endpoints.postgresql.auth.audit.password | b64enc }}
+{{- end }}
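Review bot: `{{- $envAll := . }}` is assigned but never referenced anywhere in the new secret-audit.yaml template, so the line is dead weight; drop it unless a helper call that needs it is planned. The Secret itself follows the same shape as the chart's other secret templates, which is fine. One small thing to confirm: the header says `Copyright 2020` while the patch is dated September 2019, so the year may be a rebase artefact.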
diff --git a/postgresql/templates/statefulset.yaml b/postgresql/templates/statefulset.yaml
index b0e257eba..38a6af4a1 100644
--- a/postgresql/templates/statefulset.yaml
+++ b/postgresql/templates/statefulset.yaml
@@ -332,6 +332,18 @@ spec:
 value: $(PATRONI_SUPERUSER_PASSWORD)
 - name: PATRONI_{{ .Values.endpoints.postgresql.auth.admin.username }}_OPTIONS
 value: 'createrole,createdb'
+{{- if .Values.manifests.secret_audit }}
+ - name: AUDIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secrets.postgresql.audit }}
+ key: AUDIT_PASSWORD
+ # Adding the audit user with no options just adds the user without
+ # any GRANTs. This means the user gets to do only what default
+ # PUBLIC permissions allow, which is only to SELECT from tables.
+ - name: PATRONI_{{ .Values.endpoints.postgresql.auth.audit.username }}_PASSWORD
+ value: $(AUDIT_PASSWORD)
+{{- end }}
 - name: PGSSLROOTCERT
 value: {{ .Values.secrets.pki.client_cert_path }}/ca.crt
 - name: PGSSLCERT
diff --git a/postgresql/values.yaml b/postgresql/values.yaml
index 402d24d50..9181412ae 100644
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@@ -378,6 +378,7 @@ secrets:
 replica: postgresql-replication-pki
 server: postgresql-server-pki
 exporter: postgresql-exporter
+ audit: postgresql-audit
 
 endpoints:
 cluster_domain_suffix: cluster.local
@@ -403,6 +404,9 @@ endpoints:
 exporter:
 username: psql_exporter
 password: psql_exp_pass
+ audit:
+ username: audit
+ password: password
 hosts:
 default: postgresql
 host_fqdn_override:
@@ -445,6 +449,7 @@ manifests:
 secret_replica: true
 secret_server: true
 secret_etc: true
+ secret_audit: true
 service: true
 statefulset: true
 cron_job_postgresql_backup: false
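Review bot: The three comment lines above the `PATRONI_..._PASSWORD` entry misstate PostgreSQL's defaults: a role created with no GRANTs has only PUBLIC's privileges, and PUBLIC does not get SELECT on tables owned by other roles (it gets CONNECT on the database, EXECUTE on functions and, before PostgreSQL 15, CREATE/USAGE on the `public` schema), so this role cannot read the tables the commit message says it audits, and what it can do is not limited to SELECT either. The hunk only creates the role through `PATRONI_<user>_PASSWORD`; the SELECT grant the commit message promises has to be issued somewhere after bootstrap (ideally together with ALTER DEFAULT PRIVILEGES so tables created later are covered), and this change does not do that. As far as I recall Patroni creates these bootstrap users only when the cluster is first initialised, so a deployment upgraded to this chart would not get the role at all; worth confirming against the linked ENVIRONMENT doc. I would replace the comment with `# PATRONI_<user>_PASSWORD only creates the role at bootstrap, with no GRANTs;` / `# default PUBLIC privileges do not include SELECT on other roles' tables, so` / `# read access must be granted separately after bootstrap.`. The container env list this sits in starts and ends outside the hunk.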
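Review bot: `password: password` in the new `audit` block of values.yaml is a literal default credential that, with `secret_audit: true` also defaulting on in the manifests hunk, lands in a Secret and a live database role in every deployment that does not override it. The neighbouring auth entries use placeholder-style values too, but `password` is the weakest possible default, and a read-only audit role is exactly the kind of account that never gets rotated. At minimum follow the file's existing placeholder style (`psql_exp_pass` is the pattern next to it) and add a values comment saying the value must be overridden per deployment; if the chart has a helper that generates passwords for its other secrets, wiring this one to it would be better still. Note also that the `username` value is substituted verbatim into the env var name `PATRONI_{{ ... }}_PASSWORD` in statefulset.yaml, so any override must stay a valid environment-variable name fragment.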